Digital Identity - A legal Perspective

In her essay, Dr Clare Sullivan, Professor of Law at Georgetown University, Washington, advocates every individual’s right to his or her own digital identity.

By Dr Clare Sullivan

DIGITAL IDENTITY CAN BE PART OF THE INTERNATIONALLY RECOGNISED HUMAN RIGHT TO IDENTITY.

Technological advances have created a whole new environment for interaction. As dealings previously conducted in person are replaced by dealings without any personal interaction, the requirement to provide digital identity for transactions has increased. Now digital identity is poised to assume an even greater role as governments around the world move to fully digitalise government services and transactions. This is revolutionising service delivery and the way in which government transacts with its citizens. It has significant ramifications, especially for individuals.

Digital identity is an identity which is composed of information stored and transmitted in digital form. Digital identity is now being embedded in processes fundamental to economic and social order as governments around the world move services on-line. A person must use a digital identity to access these on-line services and to transact under the scheme. This is a fundamentally different way of transacting and it is elevating digital identity to an unprecedented level of personal, commercial, and legal significance.

THE RIGHT TO IDENTITY HAS NOT YET BEEN FORMALLY RECOGNIZED IN RELATION TO DIGITAL IDENTITY

Digital identity has functions which give it special commercial and arguably, legal standing. The set of information required for transactions has specific functions under the scheme that transform it from just a collection of information into much more. This transaction identity consists of full name, date of birth, gender and a piece of what is referred to as identifying information which is usually a signature or a numerical identifier, or sometimes a biometric like a fingerprint or face print. This set of information not only has meaning, it has function whereby it actually enables the system to transact.

Privacy protects most of the information that comprises an individual's digital identity because it is personal information. However, privacy does not clearly protect the small set of that constitutes an individual's transaction identity because it is essentially public in nature. In contrast, the right to identity can protect transaction identity. However the right to identity has not yet been formally recognized in relation to digital identity by legislation or judicial ruling.

THE RIGHT TO IDENTITY CAN PROVIDE SIGNIFICANT PROTECTION

As an internationally recognised human right, the right to identity is both a necessary and appropriate addition to the associated rights which arise as a consequence of digital identity and this new era of digital citizenship. These rights include the right to privacy but that right is comparatively weak in the protection it can provide to transaction identity because it is largely comprised of information in the public domain, and because privacy is a subordinate right that can be readily waived in the public interest.

The right to identity however can provide significant protection especially to transaction identity. The right to identity currently exists under international law and can be recognised in relation to digital identity. In this context, the right to identity is the right of an individual to an accurate, functional transactional identity and to its exclusive use. Significantly, unlike the right to privacy, the right to identity cannot be readily subordinated to the public interest and clearly applies to information in the public domain.

Formal recognition of the right to identity in relation to digital identity is now imperative. Recognition is necessary because digital identity schemes are inherently vulnerable to fraud and error because of the functions of transaction identity and because it consists of information which is largely in the public domain. Yet he identity recorded and used under all digital identity schemes is presumed to be authentic accurate and exclusive.

FRAUD OR SYSTEM ERROR ALSO FORMS PART OF THE INDIVIDUAL'S PROFILE

The consequences of fraud and system error are particularly concerning because of the impact on an innocent individual. Transaction identity directly implicates the individual linked to that identity under the scheme, regardless of whether or not that person actually used it to transact. This is because under the scheme, transactional rights and duties, including those arising under contract, attach to the digital identity, through transaction identity and that identity is linked to the person on record. If there is subsequent default, the transacting entity will, as a matter of practicality, and arguably law, look to the person who is on record as being linked to that digital identity.

A transaction which is the result of fraud or system error also forms part of the individual's profile for both commercial and law enforcement purposes. This can affect that person's ability to transact and may have a serious and long term impact on his/her profile and reputation. This is more than just a remote possibility. It is a direct consequence of the architecture of digital identity schemes currently in use around the world.

THE REAL DAMAGE IS CAUSED BY COMPROMISE THROUGH FRAUD OR SYSTEM ERROR

Despite the vulnerabilities and the impact on an innocent individual, attention has not been given to recognition and protection of individual rights in relation to digital identity, other than peripherally in relation to information privacy, and coincidentally, and to a more limited extent, by the criminal law. However, the issues faced by an innocent individual who is the victim of identity fraud or system malfunction are not adequately addressed by privacy or the criminal law. Even identity theft offences which have been specifically been enacted in many jurisdictions generally require proof of fraud and financial impact. All fail to recognize the intrinsic value of transaction identity itself and that the real damage is caused by its compromise through fraud or system error.

Recognition and legal protection of an individual's rights in his/her digital identity i.e. the right to identity in this context, is needed because of the vulnerabilities of all modern digital identity schemes and also because these schemes are in effect mandatory. Whilst alternative means of data entry may be available for people who for various reasons cannot use the system themselves for example, all transactions must still be processed through the system. Even if the initial contact is person to person, the required identity information still must be entered into, and the transaction processed through, the system.

THIS TYPE OF RIGHT CAN BE PART OF THE INTERNATIONALLY RECOGNISED HUMAN RIGHT TO IDENTITY

These schemes not only establish a revolutionary means of transacting, they fundamentally change the balance of responsibility and accountability between government and citizens. Individuals, the most vulnerable sector with comparably less access to resources and information, bear the risk and are most affected when the system does not operate as intended as consequence of fraud or system error. There is therefore a pressing need for recognition in law of the right of the individual to a unique, functional digital identity and to its exclusive use. This type of right can be part of the internationally recognised human right to identity and it can be recognised to protect an individual's digital identity in much the same way as the right to privacy has been recognised.

Recognition of the right to identity would substantially add to existing protection provided by privacy and the criminal law. Unlike the right to privacy, the right to identity cannot readily be subordinated, and it is more relevant to, and protective of, the most important part of digital identity i.e. transaction identity. Unlike the current identity theft offences, the right to identity also recognises and protects an individual's rights in his/her digital identity and provides redress in the event of compromise not just as a consequence of fraud but also in the event of spontaneous system error.

THIS CONTRIBUTION ON THE SUBJECT OF DIGITAL IDENTITY IS PART OF THE PROJECT "THE POSSIBILITY OF AN ARMY" BY ARTIST CONSTANT DULLAART.

ABOUT THE AUTHOR

Dr Clare Sullivan is cyber-law lawyer specializing in digital identity, privacy and cyber security. She is a Professor of Law at Georgetown University in Washington DC, USA and a Fellow at the Center Institute on National Security and the Law, at Georgetown University. Professor Sullivan has a PhD in cyber-law and was awarded both a Fulbright scholarship and an Australian government Endeavour Fellowship for her research in this field. She is the author of internationally published articles on digital identity and cyber security in, the UK, Europe, the US and Australia. Dr Sullivan authored the first report on international trade-based money laundering, and ‘Digital Identity,’ the first legal study of the legal implications of digital identity for individuals, businesses and government. Prior to joining Georgetown University, Professor Sullivan was faculty at the University of South Australia and prior to that she was in legal practice in Australia and internationally with Baker & McKenzie.